Abstract: Multiple fault diagnosis is a difficult problem for dynamic systems. Due to fault 
masking, compensation, and relative time of fault occurrence, multiple faults can manifest in 
many different ways as observable fault signature sequences. This decreases diagnosability of 
multiple faults, and therefore leads to a loss in effectiveness of the fault isolation step. We 
develop a qualitative, event-based, multiple fault isolation framework, and derive several notions 
of multiple fault diagnosability. We show that using Possible Conflicts, a model decomposition 
technique that decouples faults from residuals, we can significantly improve the diagnosability 
of multiple faults compared to an approach using a single global model. We demonstrate these 
concepts and provide results using a multi-tank system as a case study. 

1. INTRODUCTION 

Multiple simultaneous faults in a system add significant 
complexity to the fault diagnosis problem, especially in 
dynamic systems. Fault masking, compensation, and the 
relative time of fault occurrence give rise to many different 
ways that multiple faults can manifest in the system 
observations. As a result, isolating multiple faults becomes 
a difficult task. The larger the number of faults considered, 
the more possible ways their effects can interleave, making 
it less likely that the fault candidates can be uniquely 
isolated given a set of measurements. 

Typically, multiple fault diagnosis (MFD) solutions apply 
to static systems, e.g., (de Kleer and Williams, 1987). For 
dynamic systems, (Dvorak and Kuipers, 1991) performs 
qualitative and semi-quantitative simulation to mimic the 
evolution of the process, changing the configuration of the 
model every time a fault appears. (Nyberg and Krysander, 
2003) integrates FDI techniques for fault detection and 
DX techniques for fault isolation that can automatically 
handle multiple faults in dynamic systems. 

Our previous work in MFD for continuous systems (Daigle 
et al., 2007; Daigle, 2008), based on a qualitative fault 
isolation (QFI) framework (Mosterman and Biswas, 1999), 
described how multiple faults manifest in the measurements, 
and provided algorithms for fault isolation. This 
approach was based on using residuals computed from a 
global model. Since faults affect all measurements that 
have a causal path from the fault to the measurement, 
fault masking can have a significant adverse impact on 
multiple fault diagnosability. 

Using analytical redundancy relations (ARRs) approaches, 
diagnosability is improved by deriving relations that de- 
couple faults from residuals, so that a single fault affects 
only a small set of residuals (Gertler, 1998). This decreases 
the possibility of masking, and, as such, should intuitively 
lead to improvements in multiple fault diagnosability. 
In this work, we explore this idea using the model de- 
composition approach of Possible Conflicts (PCs) (Pulido 
and Alonso-Gonzalez, 2004), which is a dependency- 
compilation technique that automatically partitions the 
system model into minimal over-determined subsystems, 
based on the set of measurements and faulty components. 
Each PC is designed to be triggered only by faults within its 
own subsystem, thus decoupling faults from residuals. 

In this paper, we develop a qualitative, event-based frame- 
work for multiple fault diagnosis that takes advantage of 
model decomposition. We develop several notions of mul- 
tiple fault distinguishability that are applicable depending 
on what assumptions the user is willing to make. We 
define multiple fault diagnosability and provide a means 
to quantify it for a system. Using a tank system as a case 
study, we show how using residuals derived from PCs im- 
proves multiple fault diagnosability of a system, and how a 
combined approach using residuals derived from both the 
global model and the PCs further improves diagnosability. 

The paper is organized as follows. Section 2 describes 
preliminary material. Section 3 reviews residual generation 
and model decomposition using PCs. Section 4 overviews 
the QFI framework and Section 5 describes event-based 
fault modeling. Section 6 establishes distinguishability and 
diagnosability of multiple faults within our framework. 
Section 7 applies the framework to a tank system case 
study. Section 8 concludes the paper. 

Fig. 1. Tank system schematic. 

2. PRELIMINARIES 

We assume the system is described by 

$$\dot{x}(t) = f(x(t), \theta(t), u(t)) + v(t)$$
$$y(t) = h(x(t), \theta(t), u(t)) + w(t),$$

where $x(t) \in \mathbb{R}^{n_x}$ is the state, $\theta(t) \in \mathbb{R}^{n_\theta}$ is the parameter 
vector, $u(t)$ is the input, $v(t) \in \mathbb{R}^{n_v}$ is the 
process noise, $f$ and $h$ are the state and output equations, 
respectively, $y(t) \in \mathbb{R}^{n_y}$ is the output, and $w(t)$ is 
the measurement noise. 

We denote a measurement as $m$, which refers to an output 
variable in $y$, and a measurement set as $M$. We consider 
abrupt parametric faults, with faults modeled as persistent 
unexpected step changes in system parameter values. We 
name faults by the associated parameter and the direction 
of change, e.g., $\theta^+$ denotes a fault defined as an abrupt 
increase in the value of parameter $\theta$. We denote a fault as 
$f$ and a set of faults as $F$. 

In MFD, a candidate is defined as a set of faults. 

Definition 1. (Candidate). A candidate $c \subseteq F$ is a set of 
faults. The set of all candidates is denoted as $C$. 

For example, the candidate $\{f_1, f_2\}$ (in shorthand, $f_1 f_2$) 
implies that both $f_1$ and $f_2$ have occurred. 

In this paper, we focus specifically on the diagnosability of 
a system with multiple faults. That is, we study the 
distinguishability of candidates in $C$ within our fault isolation 
framework. In this paper, we do not take minimality of 
candidates into account, i.e., we still want to be able to 
distinguish between candidates $c_1$ and $c_2$ even if $c_1 \subset c_2$. 
Working with minimal candidates in our framework is 
described in (Daigle et al., 2007; Daigle, 2008) and more 
generally in (de Kleer and Williams, 1987). 

Throughout the paper, we use a multi-tank system as a 
running example. A number of tanks are connected serially 
(see Fig. 1). For tank $i$, $u_i$ is the input flow, $C_i$ is the tank 
capacitance, and $R_i$ is the drain pipe resistance. For tanks 
$i$ and $j$, $R_{ij}$ is the connecting pipe resistance. For an 
$n$-tank system, the pressure of tank $i$, $p_i$, is described by 

$$\dot{p}_i = \frac{1}{C_i}\left(u_i + q_{i-1,i} - q_i - q_{i,i+1}\right) + v_i,$$

where $v_i$ is the process noise for tank $i$, $q_i = p_i / R_i$ is the 
output flow of tank $i$, and $q_{i,i+1} = \frac{1}{R_{i,i+1}}(p_i - p_{i+1})$ is the 
flow between tanks $i$ and $i + 1$. For tank 1, $q_{0,1} = 0$, and 
for tank $n$, $q_{n,n+1} = 0$. 

The complete fault set $F$ consists of $\{C_i^-, C_i^+, R_i^-, R_i^+ : i = 1, \ldots, n\} \cup \{R_{i,i+1}^-, R_{i,i+1}^+ : i = 1, \ldots, n-1\}$. The 
complete measurement set $M$ is defined as $\{p_i, q_i : i = 1, \ldots, n\} \cup \{q_{i,i+1} : i = 1, \ldots, n-1\}$. We consider single 
and double faults to form the candidate set $C$, so there are 
$|F| + \binom{|F|}{2} = 8 + 28 = 36$ candidates.$^1$ 

3. MODEL DECOMPOSITION 

In our previous approach (Daigle et al., 2007; Daigle, 
2008), a global system model was used for residual 
generation. An observer, based on the global model, is used 
to estimate the system behavior based on the set of 
measurements (Mosterman and Biswas, 1999). This estimate 
is then used to compute a residual, $r$, for the measurement, 
i.e., $r$ is computed as the difference between an 
observation, $y$, and its predicted nominal values, $\hat{y}$, i.e., 
$r(t) = y(t) - \hat{y}(t)$. Therefore, we compute a residual for 
each measurement of the system. We denote a residual 
as $r_m$, where $m$ is the associated measurement, and the 
residual set is denoted as $R$. 

With model decomposition methods, like PCs, the global 
model is decomposed into a set of minimal over-determined 
subsystems, each with a single output (one submodel per 
measurement)$^2$ (Pulido and Alonso-Gonzalez, 2004). We 
define residuals in the same way, only the predicted output 
$\hat{y}$ is computed using an observer based on the submodel 
computing $y$. The submodels are made independent of each 
other by using measurements as inputs to the submodels. 
As a result, a single fault is found in only a few submodels 
(ideally, one submodel), and, therefore, a fault affects only 
a subset of the residuals and is decoupled from the rest. 
Intuitively, this decoupling should improve multiple fault 
diagnosability. For example, if two faults do not affect 
any common residuals, we should be able to distinguish 
between the situation where only one of the faults occurs 
and both have occurred. With the global model approach, 
without such decoupling, one fault may completely mask 
the other, preventing distinguishability. 

Applying the PCs approach to an $n$-tank system with 
$M = \{p_i : i = 1, \ldots, n\}$ we find a set of $n$ minimal 
submodels. Each PC, $PC_i$, estimates the pressure in one 
of the tanks, $p_i$, and can be described in a general way as 
follows: 

$$\dot{p}_i = \frac{1}{C_i}\left(u_i + \frac{p'_{i-1} - p_i}{R_{i-1,i}} - \frac{p_i}{R_i} - \frac{p_i - p'_{i+1}}{R_{i,i+1}}\right)$$

where $p_i$ is the state variable, $u_i$ is the input to the 
tank, $p'_{i-1}$ and $p'_{i+1}$ are the measured pressures of tanks 
$i - 1$ and $i + 1$ that are used as input for the PC, and 
$\{C_i, R_i, R_{i-1,i}, R_{i,i+1}\}$ is the subset of (fault) parameters 
that affects the estimation of $PC_i$. For example, using 
the PC approach with a three-tank system with $M = \{p_1, p_2, p_3\}$ 
we find three PCs, each one of them estimating 
the pressure in one of the tanks. 

1 Note that our approach is not limited by candidate cardinality. 
We focus here only on single and double faults for demonstration. 

2 PCs have been demonstrated to be equivalent to other structural 
methods for residual generation, such as minimal ARRs (Pulido and 
Alonso-Gonzalez, 2004). 



Table 1. Fault Signatures and RMO for the 
Global Model of the Tank System. 

| Fault | $r_{p_1}$ | $r_{p_2}$ | $r_{p_3}$ | Measurement Orderings |
|---|---|---|---|---|
| $C_1^-$ | +- | 0+ | 0+ | $r_{p_1} \prec r_{p_2}$, $r_{p_1} \prec r_{p_3}$, $r_{p_2} \prec r_{p_3}$ |
| $R_1^+$ | 0+ | 0+ | 0+ | $r_{p_1} \prec r_{p_2}$, $r_{p_1} \prec r_{p_3}$, $r_{p_2} \prec r_{p_3}$ |
| $R_{12}^+$ | 0+ | 0- | 0- | $r_{p_2} \prec r_{p_3}$ |
| $C_2^-$ | 0+ | +- | 0+ | $r_{p_2} \prec r_{p_1}$, $r_{p_2} \prec r_{p_3}$ |
| $R_2^+$ | 0+ | 0+ | 0+ | $r_{p_2} \prec r_{p_1}$, |
| $R_3^+$ | 0+ | 0+ | 0+ | $r_{p_2} \prec r_{p_1}$, $r_{p_3} \prec r_{p_1}$, $r_{p_3} \prec r_{p_2}$ |

Table 2. Fault Signatures and RMO for the Set 
of Minimal Submodels of the Tank System. 


4. QUALITATIVE FAULT ISOLATION 


Faults cause deviations in the measured variables from the 
nominal values. Residual deviations are abstracted using 
qualitative +, -, and 0 values to form fault signatures 
(Mosterman and Biswas, 1999). Fault signatures represent 
these deviations as the immediate change in magnitude 
and the first nonzero derivative change. 

Definition 2. (Fault Signature). A fault signature for a 
fault $f$ and residual $r$ is the qualitative change in 
magnitude and slope of $r$ caused by the occurrence of $f$, and 
is denoted by $\sigma_{f,r}$. 

Note that due to possible ambiguities in the fault 
signatures, $\sigma_{f,r}$ may not be unique. A fault signature is written 
as $s_1 s_2$, where $s_1$ is the qualitative magnitude change and 
$s_2$ is the qualitative slope change, e.g., -+. 

We also capture the temporal order of residual deviations 
for a given submodel, termed relative measurement 
orderings (RMOs), based on the intuition that fault effects will 
manifest in some parts of the system before others (Daigle, 
2008). They are computed based on analysis of the transfer 
functions from faults to residuals defined for measurements 
within a submodel. 

Definition 3. (Relative Measurement Ordering). If fault $f$ 
manifests in residual $r_i$ before residual $r_j$, then we define 
a relative measurement ordering between $r_i$ and $r_j$ for 
fault $f$, denoted by $r_i \prec_f r_j$. We denote the set of all 
measurement orderings for $f$ as $\Omega_{f,R}$. 

Because RMOs are defined only within a given submodel, 
they cannot be straightforwardly computed between 
residuals of two different submodels because they are 
independent. Such RMOs will not be considered when using PCs. 

Signatures and RMOs can be computed automatically 
from a system model (Daigle, 2008). Table 1 shows these 
for the global model of a three-tank system with 
$F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$, $M = \{p_1, p_2, p_3\}$, and 
$R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$. Signatures derived from the PCs with 
residuals from the same measurements are shown in Table 
2. In this case, each residual is only affected by a subset 
of the faults, e.g., $C_1^-$ causes a discontinuous increase in 
$r_{p_1}$ for both approaches, followed by a smooth decrease, 
denoted by the signature +-. This is followed by smooth 
increases in residuals $r_{p_2}$ and $r_{p_3}$ for the global model, but 
no effect appears in these residuals for the PCs. 

5. EVENT-BASED FAULT MODELING 

Fault signatures combined with RMOs provide event-based 
information for diagnosis. For a given fault, the 
combination of all fault signatures and measurement 
orderings yields all the possible ways a fault can manifest 
in the residuals. We define each of these possibilities as a 
fault trace. 

| Fault | $r_{p_1}$ | $r_{p_2}$ | $r_{p_3}$ | Measurement Orderings |
|---|---|---|---|---|
| $C_1^-$ | +- | 00 | 00 | $\varnothing$ |
| $R_1^+$ |  | 00 | 00 | $\varnothing$ |
| $R_{12}^+$ |  |  | 00 | $\varnothing$ |
| $C_2^-$ | 00 | +- | 00 | $\varnothing$ |
| $R_2^+$ | 00 | 0+ | 00 | $\varnothing$ |
| $R_{23}^+$ | 00 | 0+ | 0- | $\varnothing$ |
| $C_3^-$ | 00 | 00 | +- | $\varnothing$ |
| $R_3^+$ | 00 | 00 | 0+ | $\varnothing$ |

Fig. 2. Some fault models (obtained using the global 
model), where $R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$. 

Definition 4. (Fault Trace). A fault trace for a fault $f$ over 
residuals $R$, denoted by $\lambda_{f,R}$, is a string of length $\le |R|$ 
that includes, for every $r \in R$ that will deviate due to 
$f$, a fault signature $\sigma_{f,r}$, such that the sequence of fault 
signatures satisfies $\Omega_{f,R}$. 

This definition implies that fault traces are of maximal 
length, i.e., a fault trace includes deviations for all 
residuals affected by the fault. We group the set of all fault 
traces into a fault language, represented by a fault model 
whose accepting states correspond to maximal traces. 

Definition 5. (Fault Language). The fault language of a 
fault $f \in F$ with residual set $R$, $L_{f,R}$, is the set of all 
fault traces for $f$ over the residuals in $R$. 

Definition 6. (Fault Model). The fault model for a fault 
$f \in F$ with residual set $R$ is the finite automaton that 
accepts exactly the language $L_{f,R}$, and is given by $\mathcal{L}_{f,R} = (S, s_0, \Sigma, \delta, A)$, 
where $S$ is a set of states, $s_0 \in S$ is an initial 
state, $\Sigma$ is a set of events, $\delta : S \times \Sigma \to S$ is a transition 
function, and $A \subseteq S$ is a set of accepting states. 

Fault signatures and RMOs can be composed automatically 
to form the fault models (Daigle et al., 2009). Selected 
fault models for a three-tank system are shown in Fig. 2. 
For example, as seen in $\mathcal{L}_{R_{23}^+,R}$, the fault $R_{23}^+$ may manifest 
as the fault traces $r_{p_3}^{0-} r_{p_2}^{0+} r_{p_1}^{0+}$, $r_{p_2}^{0+} r_{p_3}^{0-} r_{p_1}^{0+}$, and $r_{p_2}^{0+} r_{p_1}^{0+} r_{p_3}^{0-}$, 
as implied by the fault signatures and RMOs. 


Fault models describe how single faults manifest in the 
residuals. But, candidates consist of multiple faults, so 
may manifest in much more complicated ways due to fault 
masking and the relative occurrence times of faults. The 
traces that result from multiple faults consist of interleavings 
of the fault signatures produced from the constituent 
faults. In our diagnosis scheme, we only observe one fault 
signature per residual. A second possible signature due to 
a different fault cannot be produced, since the model has 
changed since the introduction of the first fault, and 
therefore there is no nominal reference with which to produce 
the second signature. Further, the traces from multiple 
faults must still respect the measurement orderings of the 
constituent faults (Daigle et al., 2007). 

As an example, take $R_3^+$ and $R_{23}^+$ with $R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$ 
(see Fig. 2). According to the fault models, the first 
observed deviation must be in either $r_{p_2}$ or $r_{p_3}$, as either 
(from $R_3^+$), or either $r_{p_2}^{0+}$ or (from $R_{23}^+$). Say that 
is observed. The next deviation must then be $r_{p_2}^{0+}$ 
(from either $R_3^+$ or $R_{23}^+$). In the fault models, we project 
out the events for residuals that have already deviated, 
and that gives us the next set of possible events. Candidate 
traces continue to be built up in this way. 

We can now begin to define the notion of a candidate 
language. We start by defining a candidate subtrace, which 
extends our earlier notion of a fault trace and is based on 
the notion of a prefix. 

Definition 7. (Prefix). A trace $\lambda_i$ is a prefix of trace $\lambda_j$, 
denoted by $\lambda_i \sqsubseteq \lambda_j$, if there is some (possibly empty) 
sequence of events $\lambda_k$ that can extend $\lambda_i$ s.t. $\lambda_i \lambda_k = \lambda_j$. 

Definition 8. (Candidate Subtrace). Given residuals $R$, $\lambda = \sigma_0$ 
is a candidate subtrace for $c \subseteq F$ if $\sigma_0 \sqsubseteq \lambda' \in L_{f,R}$ for 
some $f \in c$. $\lambda = \lambda_i \sigma_{i+1}$ is a candidate subtrace for $c \subseteq F$ if 
$\lambda_i$ is a candidate subtrace for $c$, and $\sigma_{i+1} \sqsubseteq \lambda' \in L_{f,R-R_i}$ 
for some $f \in c$, where $R_i$ is the set of residuals that have 
deviated for subtrace $\lambda_i$. 

We are only concerned with maximal traces, i.e., those for 
which all residuals that will deviate for the faults of the 
candidate have deviated (as with fault traces). 

Definition 9. (Candidate Trace). Given residuals $R$, $\lambda$ is a 
candidate trace for $c \subseteq F$ if for all $f \in c$, $= \varnothing$, 
where $R_i$ is the set of deviated residuals for $\lambda$. 

Now, we can define the language of a candidate $c$, $L_{c,R}$, as 
the set of candidate traces for $c$. 

Definition 10. (Candidate Language). The candidate 
language for candidate $c$ with residual set $R$, is the set 
of all candidate traces for $c$ over the residuals in $R$. 

Similar to fault models, we can define candidate models. 

Definition 11. (Candidate Model). The candidate model 
for a candidate $c$ with residual set $R$ is the finite 
automaton that accepts exactly the language $L_{c,R}$ and is given 
by $\mathcal{L}_{c,R} = (S, s_0, \Sigma, \delta, A)$, where $S$ is a set of states, $s_0 \in S$ 
is an initial state, $\Sigma$ is a set of events, $\delta : S \times \Sigma \to S$ is a 
transition function, and $A \subseteq S$ is a set of accepting states. 

Accepting states correspond to maximal traces. For single 
faults, the fault languages and fault models define the 
corresponding candidate languages and candidate models. 

Conceptually, fault isolation works by observing the 
sequence of residual deviations and mapping that to 
consistent candidates by checking the candidate languages or by 
tracking the candidate models. This can be implemented 
efficiently online and does not require precomputation of 
the candidate languages or models (Daigle, 2008). 

Fig. 3. Candidate model $\mathcal{L}_{C_1^- R_3^+, R}$ (obtained using the 
global model), where $R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$. 

6. DIAGNOSABILITY 

Distinguishability of candidates is derived from the candi- 
date languages. A general definition of distinguishability 
is as follows. 

Definition 12. (Distinguishability). With residuals $R$, a 
candidate $c_i$ is distinguishable from a candidate $c_j$, 
denoted by $c_i \nsim_R c_j$, if $c_i$ always eventually produces effects 
on the residuals that $c_j$ cannot. 

Within our framework, a basic implementation of this 
definition is expressed as the following proposition. 

Proposition 13. (Strict Distinguishability). With residuals 
$R$, a candidate $c_i$ is strictly distinguishable from a 
candidate $c_j$ if there is no $\lambda_i \in L_{c_i,R}$ where for some $\lambda_j \in L_{c_j,R}$, 
$\lambda_i \sqsubseteq \lambda_j$. 

For example, consider the single fault candidates shown in 
Fig. 2a and 2c, and the double fault candidate shown in 
Fig. 3, which use residuals from the global model. Clearly, 
$C_1^-$ and $R_3^+$ are distinguishable from each other, because 
the first observable deviation is different for the two faults. 
But, $C_1^-$ and $C_1^- R_3^+$ are not distinguishable from each 
other, and neither are $R_3^+$ and $C_1^- R_3^+$. The reason is that 
one fault can completely mask the other, e.g., $r_{p_1}^{+-} r_{p_2}^{0+} r_{p_3}^{0+}$ 
may be observed either because $C_1^-$ has occurred by itself, 
or because $C_1^-$ and $R_3^+$ have both occurred, and $R_3^+$ has 
been completely masked. 

But, the decoupling introduced by PCs can eliminate some 
of this masking. Fig. 4 shows the candidate models for 
these candidates with the PC-based residuals. Since $r_{p_1}$ is 
decoupled from $R_3^+$, and $r_{p_3}$ is decoupled from $C_1^-$, if both 
faults occur together, we see deviations in both residuals 
and either fault by itself will not be consistent. Therefore, 
$C_1^- R_3^+$ is distinguishable from both $C_1^-$ and $R_3^+$. However, 
the converse is still not true, i.e., $C_1^-$ is not distinguishable 
from $C_1^- R_3^+$. If $C_1^-$ occurs, then we see $r_{p_1}^{+-}$, which so far, 
is consistent with both the single and the double fault. We 
then have to wait infinitely long to ensure that $r_{p_3}$ does 
not deviate and confirm that $C_1^-$ has occurred by itself, 
and so we say they are not distinguishable. 

In practice, however, this is a fairly strong 
distinguishability requirement to be working with. If $C_1^-$ occurs and 
we see $r_{p_1}^{+-}$, then, since it is not possible for the effects of 
$C_1^-$ to mask the effects that will be produced by $R_3^+$, if it 
happens to occur, we will definitely see evidence for it (i.e., 
$r_{p_3}^{0+}$). So, before we see such evidence, we are safe in 
assuming that $R_3^+$ has not also occurred. In this case we want 
to be able to say that $C_1^-$ is distinguishable from $C_1^- R_3^+$. 
This leads to a new implementation of distinguishability. 

Fig. 4. Candidate models (obtained using the PCs) where 
$R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$. 

Proposition 14. (Partial Masking Distinguishability). With 
residuals $R$, a candidate $c_i$ is distinguishable under partial 
masking from a candidate $c_j$ if (i) $c_i \subset c_j$ and 
$R_{c_i} \cap R_{c_j - c_i} = \varnothing$ or if (ii) $c_i$ and $c_j$ are strictly distinguishable. 

Here, the notation $R_c \subseteq R$ refers to the subset of the 
residuals that will deviate due to candidate $c$. Applied to 
our example in Fig. 4, this says that, since it is not possible 
for $C_1^-$ to mask any of the residuals that $R_3^+$ affects, we can 
say $C_1^-$ is distinguishable from $C_1^- R_3^+$ (since $C_1^- \subset C_1^- R_3^+$ 
and $R_{C_1^-} \cap R_{C_1^- R_3^+ - C_1^-} = \varnothing$). Similarly, we can say $R_3^+$ 
is distinguishable from $C_1^- R_3^+$. A weaker version of this 
distinguishability implementation allows partial masking 
but disallows complete masking. 

Proposition 15. (Complete Masking Distinguishability). 
With residuals $R$, a candidate $c_i$ is distinguishable under 
complete masking from a candidate $c_j$ if (i) $c_i \subset c_j$ and 
$R_{c_j - c_i} \nsubseteq R_{c_i}$ or if (ii) $c_i$ and $c_j$ are strictly distinguishable. 

For example, if both $C_1^-$ and $R_3^+$ also affected some other 
residual other than $r_{p_1}$ and $r_{p_3}$, and $C_1^-$ occurs and we see 
$r_{p_1}^{+-}$, then even if we see this other residual deviate, we 
are somewhat safe in assuming $R_3^+$ has not yet occurred, 
because if it does we will eventually see evidence for it. 

We can improve distinguishability even more if we can 
confidently observe the lack of a deviation, e.g., by 
assuming that faults will cause residual deviations at most $x$ 
seconds after they occur. That is, if a fault should affect 
some residuals $r_1$ and $r_2$ and we have observed $r_1$ deviate, 
but $r_2$ has not deviated $x$ seconds since $r_1$ was observed to 
deviate, then we can assume that fault has not occurred.$^3$ 
In this case, distinguishability checks only for common 
candidate traces and the prefix of traces does not matter. 

Proposition 16. (Weak Distinguishability). With residuals 
$R$, a candidate $c_i$ is weakly distinguishable from a 
candidate $c_j$ if $L_{c_i,R} \cap L_{c_j,R} = \varnothing$. 

3 In practice, this can be difficult to achieve because it would be 
affected by fault magnitude, sensor noise, and properties of the fault 
detectors. 


Table 3. Diagnosability results for $F = \{C_1^-, C_2^-, C_3^-$ 

| $M$ | Distinguishability | Global model | PCs | Combined |
|---|---|---|---|---|
| $M_p$ | Strict | 522 (0.41) | 196 (0.16) | 179 (0.14) |
| $M_p$ | Partial masking | 522 (0.41) | 164 (0.13) | 147 (0.12) |
| $M_p$ | Complete masking | 522 (0.41) | 154 (0.12) | 137 (0.11) |
| $M_p$ | Weak | 522 (0.41) | 62 (0.05) | 62 (0.05) |
| $M_q$ | Strict | 448 (0.36) | 335 (0.27) | 305 (0.24) |
| $M_q$ | Partial masking | 448 (0.36) | 329 (0.26) | 299 (0.24) |
| $M_q$ | Complete masking | 448 (0.36) | 314 (0.25) | 284 (0.23) |
| $M_q$ | Weak | 448 (0.36) | 314 (0.25) | 284 (0.23) |


With distinguishability defined, we can now begin to define 
diagnosability. Diagnosability assumes a given implemen- 
tation of distinguishability. It depends on the set of can- 
didates being considered and the chosen set of residuals. 
First we define a system. 

Definition 17. (System). A system $S$ is a tuple $(F, C, M, R, L_{C,R})$, 
where $F$ is a set of faults, $C = \{c_1, c_2, \ldots, c_n\} \subseteq 2^F$ 
is a set of candidates, $M$ is a set of measurements, $R$ 
is a set of residuals, and $L_{C,R} = \{L_{c_1,R}, L_{c_2,R}, \ldots, L_{c_n,R}\}$ 
is the set of candidate languages. 

Here, the set of candidates does not have to be the full 
powerset $2^F$, e.g., it may include only single faults, single 
faults and double faults, etc. 

A system is diagnosable if all pairs of candidates are 
distinguishable for the given implementation of 
distinguishability. If diagnosable, then we can make guarantees about 
the unique isolation of every candidate in the system. 

Definition 18. (Multiple Fault Diagnosability). A system 
$S = (C, F, M, R, L_{C,R})$ is diagnosable if 
$(\forall c_i, c_j \in C)\; c_i \neq c_j \implies c_i \nsim_R c_j$. 

Even with PCs, in many cases we do not expect complete 
diagnosability. Therefore, we introduce a diagnosability 
score in order to compare different approaches. For a 
candidate set $C$, the score is computed as the number of 
indistinguishable candidate pairs. The worst possible score 
is $2\binom{|C|}{2}$.$^4$ We compute the normalized score, describing 
the fraction of undiagnosability, as the diagnosability score 
divided by the worst score. 
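
The candidate-language construction of Definitions 8 and 9, the strict, partial masking and weak distinguishability checks, and the diagnosability score can be run on the $C_1^-$ / $R_3^+$ example from Section 6. The following Python example is an added illustration, not code from the paper: the signature and ordering dictionaries are constructed from the $C_1^-$ and $R_3^+$ rows of Tables 1 and 2, and every function and variable name is an assumption made here.

```python
from itertools import permutations

# Constructed from the C1- and R3+ rows of the page's Tables 1 and 2.
# "sig": residual -> signature; "rmo": (a, b) means a deviates before b.
GLOBAL = {
    "C1-": {"sig": {"p1": "+-", "p2": "0+", "p3": "0+"},
            "rmo": {("p1", "p2"), ("p1", "p3"), ("p2", "p3")}},
    "R3+": {"sig": {"p1": "0+", "p2": "0+", "p3": "0+"},
            "rmo": {("p2", "p1"), ("p3", "p1"), ("p3", "p2")}},
}
PCS = {  # PC-based residuals: each fault touches only its own submodel
    "C1-": {"sig": {"p1": "+-"}, "rmo": set()},
    "R3+": {"sig": {"p3": "0+"}, "rmo": set()},
}
R = frozenset({"p1", "p2", "p3"})
C1, R3 = frozenset({"C1-"}), frozenset({"R3+"})
CANDS = [C1, R3, C1 | R3]


def fault_traces(model, fault, remaining):
    """Fault language over the residuals in `remaining` (empty if none is affected)."""
    sig, rmo = model[fault]["sig"], model[fault]["rmo"]
    affected_here = [r for r in sorted(remaining) if r in sig]
    traces = set()
    for order in permutations(affected_here):
        pos = {r: i for i, r in enumerate(order)}
        if all(pos[a] < pos[b] for a, b in rmo if a in pos and b in pos):
            traces.add(tuple((r, sig[r]) for r in order))
    traces.discard(())  # no affected residual left -> empty language
    return traces


def candidate_language(model, cand, residuals=R):
    """All maximal candidate traces, built event by event as in Definitions 8 and 9."""
    language = set()

    def extend(trace, deviated):
        remaining = residuals - deviated
        # Next events: first event of any constituent fault's trace over the
        # residuals that have not deviated yet (one signature per residual).
        nxt = {t[0] for f in cand for t in fault_traces(model, f, remaining)}
        if not nxt:
            language.add(trace)
            return
        for event in nxt:
            extend(trace + (event,), deviated | {event[0]})

    extend((), frozenset())
    return language


def affected(model, faults):
    return {r for f in faults for r in model[f]["sig"]}


def strict(model, ci, cj):
    """Proposition 13: no trace of ci is a prefix of a trace of cj."""
    li, lj = candidate_language(model, ci), candidate_language(model, cj)
    return not any(b[:len(a)] == a for a in li for b in lj)


def partial_masking(model, ci, cj):
    """Proposition 14: ci cannot mask any residual of the extra faults in cj."""
    if ci < cj and not affected(model, ci) & affected(model, cj - ci):
        return True
    return strict(model, ci, cj)


def weak(model, ci, cj):
    """Proposition 16: the two candidate languages share no trace."""
    return not candidate_language(model, ci) & candidate_language(model, cj)


def score(model, dist, cands=CANDS):
    """Diagnosability score: number of ordered pairs that are NOT distinguishable."""
    return sum(not dist(model, ci, cj) for ci in cands for cj in cands if ci != cj)


if __name__ == "__main__":
    for name, model in (("global", GLOBAL), ("PCs", PCS)):
        print(name, [score(model, d) for d in (strict, partial_masking, weak)])
```

For these three candidates the worst possible score is 6, so the global model leaves four of six ordered pairs ambiguous under every definition, while the PC-based residuals leave two under strict distinguishability and none under partial masking or weak distinguishability.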

7. RESULTS 

As a first scenario, consider the three-tank system with 
$F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$ and two different 
measurement sets $M_p = \{p_1, p_2, p_3\}$ and $M_q =$ 

Table 3 shows the diagnosability results using both 
measurement sets for PCs and the global system model for 
each one of the four distinguishability definitions. For this 
example, the worst possible score is $2\binom{36}{2} = 1260$. In 
the table, the columns show the measurement set used, 
the distinguishability definition, and scores for the global 
model and PC approaches, respectively. Normalized scores 
are shown in parentheses. 

From the results, diagnosability using PCs is clearly much 
better than using the global model. Also, the improvement 
is much more substantial for $M_p$ than for $M_q$, since 
measurement set $M_p$ provides more decoupling. This is 
consistent with the intuition that decoupling improves 
diagnosability. Comparing the distinguishability definitions, 
we see that using weak distinguishability is the best in 
all cases, followed by complete masking, partial masking, 
and strict distinguishability. This is expected, since the weak 
distinguishability definition is the least restrictive, and then 
complete masking, partial masking, and strict. 

4 The factor of 2 appears because distinguishability is not a 
symmetric property. 

Fig. 5. Scalability of diagnosability. 

Here, many candidates can be distinguished using PCs 
compared to the global model. However, there is also a 
small subset of candidates that can be distinguished using 
the global model, but not using the PCs. For example, 
consider distinguishing $C_1^- R_{12}^+$ from $R_{12}^+$. With the global 
model, we can distinguish these candidates because they 
produce different effects on $r_{p_2}$ and $r_{p_3}$ (see Table 1). With 
PCs, however, if $C_1^- R_{12}^+$ occurs and we see $r_{p_1}^{0+}$, then $R_{12}^+$ 
remains consistent and we will not see another deviation in 
order to eliminate it, so they are not distinguishable with 
strict, partial masking, and complete masking definitions. 

Therefore, improvements in diagnosability can be achieved 
in an approach that combines the residual sets from both 
the global model and the PCs. In such an approach, two 
candidates are distinguishable if they are distinguishable 
using either the global model-based residuals or the PC- 
based residuals. The fifth column of Table 3 provides the 
diagnosability results in this case, confirming that in all 
the cases, a combined approach provides results equal to 
or better than the approach with only PC-based residuals. 

Although we cannot obtain complete multiple fault 
diagnosability in this case, sometimes it can be achieved. 
For example, consider $F = \{C_1^-, C_2^-, C_3^-\}$ and $M_p = \{p_1, p_2, p_3\}$. 
Here, it is not diagnosable for PCs with strict 
distinguishability (score of 6 (0.2)) and the global model 
(score of 18 (0.6)), but otherwise we get perfect 
diagnosability. This occurs because the faults are completely 
decoupled from each other by the PCs. In fact, whenever 
the measurement set is such that we get full decoupling 
with PCs, we will always achieve perfect diagnosability 
for any of the distinguishability definitions. 

It is also interesting to investigate the scalability of these 
diagnosability properties. We computed diagnosability 
scores for 2-6 tanks (see Fig. 5). The worst possible score 
increases significantly as the number of tanks increases, 
because each tank adds three new faults to the system. 
The scores for the global approach increase as well, but at a 
significantly smaller rate. For the PC-based diagnosability 
results, the growth rate is reduced even further. In fact, 
when using weak distinguishability, the scores for the 
PC-based approach, for 3 tanks and higher, increase at a linear 
rate, with only 30 new indistinguishable candidate pairs 
being added for each new tank. Clearly, diagnosability 
scales much better with the PC-based approach. 

8. CONCLUSIONS 

In this work, we have presented a qualitative, event-based 
framework for multiple fault isolation with PCs. The de- 
coupling of faults from residuals provided by PCs leads 
to a great improvement in multiple fault diagnosability 
since the possibility of fault masking, when multiple faults 
occur, is reduced. We have established a definition for mul- 
tiple fault diagnosability within our framework, providing 
several notions of distinguishability. Diagnosability analy- 
sis of a system may then be used to determine the expected 
amount of ambiguity after QFI, and which ambiguities 
will need to be resolved by more expensive quantitative 
methods. 

Experimental results on a multi-tank system show the 
improvement of multiple fault diagnosability when PCs 
are used instead of the global system model. Moreover, 
using a combined approach of global model- and PC-based 
residuals, we obtain further improvements in diagnosabil- 
ity. Diagnosability is also more scalable with the PC-based 
approach, and in fact, diagnosability scores grow only 
linearly for the tank system using weak distinguishability. 

In this paper, we considered only single and double faults 
for the case study, but, in future work, we will study how 
the approach scales with candidates of higher cardinality. 
Also, we will extend this approach to develop an MFD 
framework including multiple fault identification. 